Hello SharePoint guys,
In my day-to-day and research tasks, I often create app principals in SharePoint Online. They might have various privileges according to my needs. (Read-Only, Write, Full Control on Lists, Webs or Site collections). One thing I never needed to use so far is an App Principal with Full Control privileges on the whole tenant.
Actually, there are some unusual steps to achieve comparing to other scenarios. I then decided to write down a few words about my own investigations and hope it will help !
My external management app (not a SharePoint add-in) requires app-only full privileges on the whole tenant.
Trying the usual way
I go to the default site collection of my tenant and reach the usual appregnew.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appregnew.aspx) and register my app principal.
As usual, I need to keep the generated info in a safe location… (Client Id, Client Secret)
The usual second step to achieve is to grant my app principal the permissions I want it to have, I need to go to the appinv.aspx page (https://yourtenant.sharepoint.com/_layouts/15/appinv.aspx). Lookup my app Id and give it the proper permissions XML.
I know the XML must be
<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" /> </AppPermissionRequests>
And I know I’ll be redirected to a page asking me if I trust this application, but…
There are 2 unusual things here:
- A red message that reads “Your tenant administrator has to approve this app.“
- The greyed out “Trust it” button that I usually need to click
Well, pretty annoying since I am currently the tenant administrator….
Ok, Let’s adapt…
I suspect, for some security reasons I need to do it from the SharePoint admin center. I will probably have to register the app principal from https://yourtenant-admin.sharepoint.com/_layouts/15/appregnew.aspx …
By the way, it is a quite odd error message because, I am still logged in as the tenant administrator.
OK, I cannot create a new app principal from the SharePoint Admin center but maybe I can grant permissions to the one I created previously ? Let’s try it !
I go to https://yourtenant-admin.sharepoint.com/_layouts/15/appinv.aspx, Hey I reach a page !
Except some different styling, this page looks familiar ! I try to lookup for my App Id and I find it !
Let’s enter the permissions XML here and click Create.
It looks like it is working !
OK, Last thing is to make sure my app principal has the proper permissions. In a PowerShell console with PnP PowerShell properly installed, enter the following commands
$ Connect-PnPOnline https://<your-tenant>-admin.sharepoint.com -AppId <your-app-id> -AppSecret <your-app-secret>
I get the list of the available site collections which means my credentials are valid !
This seems to be a behavior that changed over time (at least on SharePoint Online, you might find some outdated content on the Internet saying you can use the regular way to give tenant-scope privileges to app principals but it is no longer valid since august 2016.
After my own investigations, I wanted to confirm them and after a bit of googling I found this : https://msdn.microsoft.com/en-us/pnp_articles/how-to-provide-add-in-app-only-tenant-administrative-permissions-in-sharepoint-online (as always a PnP article 😉 Damn, they cover so much ! Thanks guys !)
I hope this will help people who encountered the same issue as I did. Do not hesitate to leave comments !
See ya !